HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
3. If you must transmit alert information to another system, set up your own secure communication process.
4. If a response program has its setuid or setgid bit set, it runs as that effective user or group. It is good practice to restrict setuid and setgid programs to the absolute minimum necessary. For more information, see “Writing Privileged Response Programs” (page 167).
5. When a response program is started, the agent process provides it with the set of environment variables listed in Table B-9 and passes the alert information as program arguments, as listed in Table B-1. See Tables B-1 to B-6 for the alert information passed as arguments 0 through 9 for each template.
Table B-1 Additional Arguments Passed to Response Programs for Kernel Template Alerts

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[10] | System Call # | Integer | <syscall#> | System call number that triggered the alert. Corresponds to a number defined in scall_define.h. |
| argv[11] | Attacker Process ID | Integer | <pid> | Process ID (pid) of the attacker |
| argv[12] | Attacker Parent Process ID | Integer | <ppid> | Parent process ID (ppid) of the attacker |
| argv[13] | Attacker User ID | Integer | <uid> | User ID (uid) of the attacker |
| argv[14] | Attacker Group ID | Integer | <gid> | Group ID (gid) of the attacker |
| argv[15] | Attacker Effective User ID | Integer | <euid> | Effective user ID (euid) of the attacker |
| argv[16] | Attacker Effective Group ID | Integer | <egid> | Effective group ID (egid) of the attacker |
| argv[17] | Pathname of Target File | String | <full pathname> | Full pathname of the file under attack |
| argv[18] | Target File Type | Integer | <type> | File type of the file under attack. Corresponds to an enum vtype value defined in vnode.h. |
| argv[19] | Target File Mode | Integer | <mode> (decimal) | Mode of the file under attack |
| argv[20] | Target File Owner | Integer | <uid> | Owner (uid) of the file under attack |
| argv[21] | Target File Group | Integer | <gid> | Group (gid) of the file under attack |
| argv[22] | Target File Inode | Integer | <inode> | Inode number of the file under attack |
| argv[23] | Target File Device | Integer | <device> | Device number of the file under attack |
| argv[24] | Pathname of Attack Program | String | <full pathname> | Full pathname of the attack program |
| argv[25] | Attack Program Type | Integer | <type> | File type of the attack program. Corresponds to an enum vtype value defined in vnode.h. |
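As an added example (not HP's sample response code and not part of this guide), the following POSIX sh script shows how a response program for Kernel template alerts would pick the Table B-1 fields out of its argument vector, validate the Integer-typed ones, and write a single record with restrictive file permissions. It assumes the agent passes the alert fields as the script's arguments, so the table's argv[N] is the shell positional parameter ${N}; the environment variable HIDS_EXAMPLE_DEMO and the sample values under it are constructed for the example, not taken from a real alert.

```shell
#!/usr/bin/sh
# Added example (not HP's sample code): minimal response script for
# Kernel template alerts, built on the argument positions in Table B-1.
# Assumption: the agent passes the alert fields as this script's argument
# vector, so C's argv[N] is the positional parameter ${N}. The braces matter
# for N >= 10 because "$10" is parsed as "$1" followed by a literal 0.

# is_int VALUE: succeed only if VALUE is a non-negative decimal integer.
# Fields typed Integer in Table B-1 are checked before use so that a
# malformed value never reaches a later command unchecked.
is_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# format_kernel_alert ARGS...: print one key=value record built from
# argv[10]..argv[25]. Returns 1 when fields are missing or an Integer
# field fails validation. Call it from the script as: format_kernel_alert "$@"
format_kernel_alert() {
    if [ "$#" -lt 25 ]; then
        echo "kernel alert: expected at least 25 arguments, got $#" >&2
        return 1
    fi
    shift 9   # drop argv[1]..argv[9] (common fields); $1 is now argv[10]
    syscall_no=$1 att_pid=$2 att_ppid=$3 att_uid=$4 att_gid=$5
    att_euid=$6 att_egid=$7 target=$8 target_type=$9 target_mode=${10}
    target_owner=${11} target_group=${12} target_inode=${13} target_dev=${14}
    program=${15} program_type=${16}

    # Every Integer field in Table B-1 must be a plain decimal number.
    for v in "$syscall_no" "$att_pid" "$att_ppid" "$att_uid" "$att_gid" \
             "$att_euid" "$att_egid" "$target_type" "$target_mode" \
             "$target_owner" "$target_group" "$target_inode" "$target_dev" \
             "$program_type"; do
        if ! is_int "$v"; then
            echo "kernel alert: rejecting non-integer field '$v'" >&2
            return 1
        fi
    done

    # The two String fields are pathnames chosen by the attacking process:
    # hand them to printf as data only, never to eval or an unquoted command.
    printf 'syscall=%s pid=%s ppid=%s uid=%s gid=%s euid=%s egid=%s ' \
        "$syscall_no" "$att_pid" "$att_ppid" "$att_uid" "$att_gid" \
        "$att_euid" "$att_egid"
    printf 'target=%s target_type=%s target_mode=%s target_owner=%s ' \
        "$target" "$target_type" "$target_mode" "$target_owner"
    printf 'target_group=%s target_inode=%s target_dev=%s ' \
        "$target_group" "$target_inode" "$target_dev"
    printf 'program=%s program_type=%s\n' "$program" "$program_type"
}

# log_kernel_alert LOGFILE ARGS...: append the record to LOGFILE, creating
# it owner-readable only (umask 077 inside a subshell so the caller's
# umask is untouched). Returns whatever format_kernel_alert returns.
log_kernel_alert() {
    logfile=$1
    shift
    ( umask 077; format_kernel_alert "$@" >> "$logfile" )
}

# When invoked by the agent with a full argument vector, emit the record.
if [ "$#" -ge 25 ]; then
    format_kernel_alert "$@"
fi

# Constructed sample invocation (values are made up, not a real alert);
# set HIDS_EXAMPLE_DEMO=1 to see the record without a live agent.
if [ "${HIDS_EXAMPLE_DEMO:-0}" = 1 ]; then
    format_kernel_alert c1 c2 c3 c4 c5 c6 c7 c8 c9 \
        4 1234 1 0 0 0 0 /etc/passwd 1 33188 0 3 12345 64 /tmp/evil 1
fi
```

The shift by nine is the only place the script depends on the argument layout: after it, $1 through $16 line up with argv[10] through argv[25] in the table above, so a change in the common-field count is a one-line edit. Integer fields are rejected rather than coerced, and the pathnames are only ever printed, which is the behaviour you want in a program the agent may run with elevated privileges.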
How Automated Response Works in HP-UX HIDS 161